The ip package, a utility for working with IP addresses in Node.js, saw a notable update with version 1.1.9 released on February 19, 2024, following version 1.1.8 released on May 11, 2022. Both versions maintain the same core development dependencies, including eslint for code linting and mocha for testing. They are licensed under the MIT license and share the same repository and author, Fedor Indutny, indicating continued maintenance and a stable project.
A key difference lies in the dist section, specifically the unpackedSize. Version 1.1.9 has an unpacked size of 15451 bytes, whereas version 1.1.8 had an unpacked size of 13561 bytes. This increase suggests that version 1.1.9 likely includes additional features, bug fixes, or code improvements that have expanded the library's footprint slightly. Developers considering upgrading should note the increased size but may benefit from the included enhancements made over almost 2 years of development. This update might address potential compatibility issues, introduce new functionalities related to IP address manipulation, or improve existing methods for efficiency or security. Always refer to the official release notes for detailed change logs.
All vulnerabilities related to version 1.1.9 of the package
ip SSRF improper categorization in isPublic
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
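A defensive check for the address forms listed above, as an added example that is not code from the ip package or its author: it canonicalizes the host with Node's built-in WHATWG URL parser before classifying it, and fails closed on anything it cannot parse. The function names (`isPublicAddress`, `canonicalHost`, `expandV6`) and the non-public range list, a representative subset, are assumptions of this example.

```javascript
// Added example: classify a host only after canonicalizing it, so every
// spelling of the same address gets the same verdict. Fails closed.
const NON_PUBLIC_V4 = [ // representative subset (assumption), not the full IANA list
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16], ['224.0.0.0', 3],
];

const v4ToInt = (dotted) => dotted.split('.').reduce((n, o) => n * 256 + Number(o), 0);

function isPublicV4Int(addr) {
  return !NON_PUBLIC_V4.some(([net, len]) => {
    const size = 2 ** (32 - len);
    return Math.floor(addr / size) === Math.floor(v4ToInt(net) / size);
  });
}

// Let the WHATWG URL parser normalise short, octal, hex and mixed-case forms.
function canonicalHost(input) {
  if (typeof input !== 'string' || !/^[0-9a-zA-Z.:]+$/.test(input)) return null;
  try {
    return new URL(`http://${input.includes(':') ? `[${input}]` : input}/`).hostname;
  } catch {
    return null; // not parseable as a host at all
  }
}

// Expand canonical IPv6 text (no brackets) into eight 16-bit groups.
function expandV6(text) {
  const [head, tail] = text.split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  const gap = text.includes('::') ? Array(8 - h.length - t.length).fill('0') : [];
  return [...h, ...gap, ...t].map((g) => parseInt(g, 16));
}

function isPublicAddress(input) {
  const host = canonicalHost(input);
  if (host === null) return false;
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return isPublicV4Int(v4ToInt(host));
  if (!host.startsWith('[')) return false; // a DNS name, not an IP literal
  const g = expandV6(host.slice(1, -1));
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) {
    return isPublicV4Int(g[6] * 65536 + g[7]); // IPv4-mapped: judge the IPv4 part
  }
  if (g.slice(0, 6).every((x) => x === 0)) return false; // ::, ::1, ::/96
  const top = g[0];
  return !((top & 0xfe00) === 0xfc00 || (top & 0xffc0) === 0xfe80 || top >= 0xff00);
}
```

A DNS name returns `false` here because it is not an IP literal; a caller that resolves names has to apply the same check to each resolved address it actually connects to.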